Access control

Overview

The Cloud Healthcare API uses Identity and Access Management (IAM) for access control.

In the Cloud Healthcare API, access control can be configured at the project, dataset, or data store level. For example, you can grant access to all datasets within a project to a group of developers. To learn how to set up and use IAM with the Cloud Healthcare API, see Controlling access and Controlling access to other products.

For a detailed description of IAM and its features, see the IAM documentation. In particular, see the section on managing IAM policies.

Every Cloud Healthcare API method requires the caller to have the necessary permissions. See Permissions and Roles for more information.

Permissions

This section summarizes the Cloud Healthcare API permissions that IAM supports.

Required permissions

The following tables list the IAM permissions that are associated with the Cloud Healthcare API. Method names are shortened in the table; each method's full name begins with projects.locations.

Annotation store methods and their required permissions:
datasets.annotationStores.create: healthcare.annotationStores.create on the parent dataset.
datasets.annotationStores.delete: healthcare.annotationStores.delete on the requested annotation store.
datasets.annotationStores.get: healthcare.annotationStores.get on the requested annotation store.
datasets.annotationStores.list: healthcare.annotationStores.list on the parent dataset.
datasets.annotationStores.patch: healthcare.annotationStores.update on the requested annotation store.
datasets.annotationStores.annotations.create: healthcare.annotations.create on the parent annotation store.
datasets.annotationStores.annotations.delete: healthcare.annotations.delete on the requested annotation record.
datasets.annotationStores.annotations.get: healthcare.annotations.get on the requested annotation record.
datasets.annotationStores.annotations.list: healthcare.annotations.list on the parent annotation store.
datasets.annotationStores.annotations.patch: healthcare.annotations.update on the requested annotation record.

Dataset methods and their required permissions:
datasets.create: healthcare.datasets.create on the parent Google Cloud project.
datasets.deidentify:
  • healthcare.datasets.deidentify on the source dataset.
  • healthcare.datasets.create on the Google Cloud project containing the destination dataset.
datasets.delete: healthcare.datasets.delete on the requested dataset.
datasets.get: healthcare.datasets.get on the requested dataset.
datasets.getIamPolicy: healthcare.datasets.getIamPolicy on the requested dataset.
datasets.list: healthcare.datasets.list on the parent Google Cloud project.
datasets.patch: healthcare.datasets.update on the requested dataset.
datasets.setIamPolicy: healthcare.datasets.setIamPolicy on the requested dataset.

DICOM store methods and their required permissions:
datasets.dicomStores.create: healthcare.dicomStores.create on the parent dataset.
datasets.dicomStores.deidentify:
  • healthcare.dicomStores.deidentify on the source DICOM store.
  • healthcare.dicomStores.dicomWebWrite on the destination DICOM store.
datasets.dicomStores.delete: healthcare.dicomStores.delete on the requested DICOM store.
datasets.dicomStores.export:
  • healthcare.dicomStores.export on the requested DICOM store.
  • When exporting to Cloud Storage: roles/storage.objectAdmin granted to the project's Cloud Healthcare Service Agent service account. See Exporting data to Cloud Storage for instructions.
  • When exporting to BigQuery: roles/bigquery.dataEditor and roles/bigquery.jobUser granted to the project's Cloud Healthcare Service Agent service account. See DICOM store BigQuery permissions for instructions.
datasets.dicomStores.get: healthcare.dicomStores.get on the requested DICOM store.
datasets.dicomStores.getIamPolicy: healthcare.dicomStores.getIamPolicy on the requested DICOM store.
datasets.dicomStores.import:
  • healthcare.dicomStores.import on the requested DICOM store.
  • roles/storage.objectViewer granted to the project's Cloud Healthcare Service Agent service account. See Importing data from Cloud Storage for instructions.
datasets.dicomStores.list: healthcare.dicomStores.list on the parent dataset.
datasets.dicomStores.patch: healthcare.dicomStores.update on the requested DICOM store.
datasets.dicomStores.searchForInstances: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.searchForSeries: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.searchForStudies: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.setIamPolicy: healthcare.dicomStores.setIamPolicy on the requested DICOM store.
datasets.dicomStores.storeInstances: healthcare.dicomStores.dicomWebWrite on the requested DICOM store.
datasets.dicomStores.studies.delete: healthcare.dicomStores.dicomWebDelete on the requested DICOM store.
datasets.dicomStores.studies.retrieveMetadata: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.retrieveStudy: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.searchForInstances: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.searchForSeries: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.storeInstances: healthcare.dicomStores.dicomWebWrite on the requested DICOM store.
datasets.dicomStores.studies.series.delete: healthcare.dicomStores.dicomWebDelete on the requested DICOM store.
datasets.dicomStores.studies.series.retrieveMetadata: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.retrieveSeries: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.searchForInstances: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.delete: healthcare.dicomStores.dicomWebDelete on the requested DICOM store.
datasets.dicomStores.studies.series.instances.retrieveInstance: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.retrieveMetadata: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.retrieveRendered: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.frames.retrieveFrames: healthcare.dicomStores.dicomWebRead on the requested DICOM store.
datasets.dicomStores.studies.series.instances.frames.retrieveRendered: healthcare.dicomStores.dicomWebRead on the requested DICOM store.

FHIR store methods and their required permissions:
datasets.fhirStores.create: healthcare.fhirStores.create on the parent dataset.
datasets.fhirStores.deidentify:
  • healthcare.fhirStores.deidentify on the source FHIR store.
  • healthcare.fhirResources.update on the destination FHIR store.
datasets.fhirStores.delete: healthcare.fhirStores.delete on the requested FHIR store.
datasets.fhirStores.export:
  • healthcare.fhirStores.export on the requested FHIR store.
  • When exporting to Cloud Storage: storage.objects.create, storage.objects.delete, and storage.objects.list granted to the project's Cloud Healthcare Service Agent service account. See Exporting FHIR resources to Cloud Storage for instructions.
  • When exporting to BigQuery: roles/bigquery.dataEditor and roles/bigquery.jobUser granted to the project's Cloud Healthcare Service Agent service account. See FHIR store BigQuery permissions for instructions.
datasets.fhirStores.get: healthcare.fhirStores.get on the requested FHIR store.
datasets.fhirStores.getIamPolicy: healthcare.fhirStores.getIamPolicy on the requested FHIR store.
datasets.fhirStores.import:
  • healthcare.fhirStores.import on the requested FHIR store.
  • storage.objects.get and storage.objects.list granted to the project's Cloud Healthcare Service Agent service account. See Importing FHIR resources from Cloud Storage for instructions.
datasets.fhirStores.list: healthcare.fhirStores.list on the parent dataset.
datasets.fhirStores.patch: healthcare.fhirStores.update on the requested FHIR store.
datasets.fhirStores.setIamPolicy: healthcare.fhirStores.setIamPolicy on the requested FHIR store.
datasets.fhirStores.fhir.Observation-lastn: healthcare.fhirStores.searchResources on the parent FHIR store.
datasets.fhirStores.fhir.Patient-everything: healthcare.fhirResources.get on each resource returned.
datasets.fhirStores.fhir.Resource-purge: healthcare.fhirResources.purge on the requested FHIR store resource.
datasets.fhirStores.fhir.capabilities: healthcare.fhirStores.get on the requested FHIR store.
datasets.fhirStores.fhir.conditionalDelete:
  • healthcare.fhirStores.searchResources on the parent FHIR store.
  • healthcare.fhirResources.delete on the requested FHIR store resource.
datasets.fhirStores.fhir.conditionalPatch:
  • healthcare.fhirStores.searchResources on the parent FHIR store.
  • healthcare.fhirResources.patch on the requested FHIR store resource.
datasets.fhirStores.fhir.conditionalUpdate:
  • healthcare.fhirStores.searchResources on the parent FHIR store.
  • healthcare.fhirResources.update on the requested FHIR store resource.
datasets.fhirStores.fhir.create:
  • For conditional create interactions: healthcare.fhirResources.create and healthcare.fhirStores.searchResources on the parent FHIR store.
  • For create interactions: healthcare.fhirResources.create on the parent FHIR store.
datasets.fhirStores.fhir.delete: healthcare.fhirResources.delete on the requested FHIR store resource.
datasets.fhirStores.fhir.executeBundle: healthcare.fhirResources.executeBundle on the requested FHIR store, plus the permissions (such as healthcare.fhirResources.create and healthcare.fhirResources.update) corresponding to the individual operations within the bundle. For example, a caller who has healthcare.fhirResources.create but not healthcare.fhirResources.update can only execute bundles whose operations require healthcare.fhirResources.create.
datasets.fhirStores.fhir.history: healthcare.fhirResources.get on the requested FHIR store resource and each of its versions.
datasets.fhirStores.fhir.patch: healthcare.fhirResources.patch on the requested FHIR store resource.
datasets.fhirStores.fhir.read: healthcare.fhirResources.get on the requested FHIR store resource.
datasets.fhirStores.fhir.search: healthcare.fhirStores.searchResources on the parent FHIR store.
datasets.fhirStores.fhir.update: healthcare.fhirResources.update on the requested FHIR store resource.
datasets.fhirStores.fhir.vread: healthcare.fhirResources.get on the requested FHIR store resource version.

HL7v2 store methods and their required permissions:
datasets.hl7V2Stores.create: healthcare.hl7V2Stores.create on the parent dataset.
datasets.hl7V2Stores.delete: healthcare.hl7V2Stores.delete on the requested HL7v2 store.
datasets.hl7V2Stores.get: healthcare.hl7V2Stores.get on the requested HL7v2 store.
datasets.hl7V2Stores.list: healthcare.hl7V2Stores.list on the parent dataset.
datasets.hl7V2Stores.patch: healthcare.hl7V2Stores.update on the requested HL7v2 store.
datasets.hl7V2Stores.getIamPolicy: healthcare.hl7V2Stores.getIamPolicy on the requested HL7v2 store.
datasets.hl7V2Stores.setIamPolicy: healthcare.hl7V2Stores.setIamPolicy on the requested HL7v2 store.
datasets.hl7V2Stores.messages.create: healthcare.hl7V2Messages.create on the parent HL7v2 store.
datasets.hl7V2Stores.messages.delete: healthcare.hl7V2Messages.delete on the requested HL7v2 store message.
datasets.hl7V2Stores.messages.get: healthcare.hl7V2Messages.get on the requested HL7v2 store message.
datasets.hl7V2Stores.messages.ingest: healthcare.hl7V2Messages.ingest on the requested HL7v2 store message.
datasets.hl7V2Stores.messages.list: healthcare.hl7V2Messages.list on the parent HL7v2 store.
datasets.hl7V2Stores.messages.patch: healthcare.hl7V2Messages.update on the requested HL7v2 store message.

Operation methods and their required permissions:
datasets.operations.get: healthcare.operations.get on the requested operation.
datasets.operations.list: healthcare.operations.list on the requested operation.
datasets.operations.cancel: healthcare.operations.cancel on the requested operation.

Roles

The following table lists the Cloud Healthcare API IAM roles, including the permissions associated with each role:

Annotation roles and their permissions:
roles/healthcare.annotationStoreViewer All roles/healthcare.datasetViewer permissions, and:
  • healthcare.annotationStores.get
  • healthcare.annotationStores.list
roles/healthcare.annotationStoreAdmin All roles/healthcare.annotationStoreViewer permissions, and:
  • healthcare.annotationStores.create
  • healthcare.annotationStores.delete
  • healthcare.annotationStores.update
roles/healthcare.annotationReader All roles/healthcare.annotationStoreViewer permissions, and:
  • healthcare.annotations.get
  • healthcare.annotations.list
roles/healthcare.annotationEditor All roles/healthcare.annotationReader permissions, and:
  • healthcare.annotations.create
  • healthcare.annotations.delete
  • healthcare.annotations.update

Dataset roles and their permissions:
roles/healthcare.datasetViewer
  • healthcare.datasets.get
  • healthcare.datasets.list
  • healthcare.operations.get
roles/healthcare.datasetAdmin All roles/healthcare.datasetViewer permissions, and:
  • healthcare.datasets.create
  • healthcare.datasets.delete
  • healthcare.datasets.update
  • healthcare.datasets.getIamPolicy
  • healthcare.datasets.setIamPolicy
  • healthcare.datasets.deidentify
  • healthcare.operations.cancel
  • healthcare.operations.list

DICOM store roles and their permissions:
roles/healthcare.dicomStoreViewer All roles/healthcare.datasetViewer permissions, and:
  • healthcare.dicomStores.get
  • healthcare.dicomStores.list
roles/healthcare.dicomStoreAdmin All roles/healthcare.dicomStoreViewer permissions, and:
  • healthcare.dicomStores.create
  • healthcare.dicomStores.deidentify
  • healthcare.dicomStores.delete
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.getIamPolicy
  • healthcare.dicomStores.setIamPolicy
  • healthcare.dicomStores.update
  • healthcare.operations.cancel
roles/healthcare.dicomViewer All roles/healthcare.dicomStoreViewer permissions, and:
  • healthcare.dicomStores.export
  • healthcare.dicomStores.dicomWebRead
roles/healthcare.dicomEditor All roles/healthcare.dicomViewer permissions, and:
  • healthcare.dicomStores.import
  • healthcare.dicomStores.dicomWebDelete
  • healthcare.dicomStores.dicomWebWrite
  • healthcare.operations.cancel

FHIR store roles and their permissions:
roles/healthcare.fhirStoreViewer All roles/healthcare.datasetViewer permissions, and:
  • healthcare.fhirStores.get
  • healthcare.fhirStores.list
roles/healthcare.fhirStoreAdmin All roles/healthcare.fhirStoreViewer permissions, and:
  • healthcare.fhirStores.create
  • healthcare.fhirStores.deidentify
  • healthcare.fhirStores.delete
  • healthcare.fhirStores.update
  • healthcare.fhirStores.import
  • healthcare.fhirStores.export
  • healthcare.fhirResources.purge
  • healthcare.fhirStores.getIamPolicy
  • healthcare.fhirStores.setIamPolicy
  • healthcare.operations.cancel
roles/healthcare.fhirResourceReader All roles/healthcare.fhirStoreViewer permissions, and:
  • healthcare.fhirResources.get
  • healthcare.fhirStores.searchResources
  • healthcare.fhirStores.executeBundle
roles/healthcare.fhirResourceEditor All roles/healthcare.fhirResourceReader permissions, and:
  • healthcare.fhirResources.create
  • healthcare.fhirResources.delete
  • healthcare.fhirResources.patch
  • healthcare.fhirResources.update
  • healthcare.operations.cancel

HL7v2 store roles and their permissions:
roles/healthcare.hl7V2StoreViewer All roles/healthcare.datasetViewer permissions, and:
  • healthcare.hl7V2Stores.get
  • healthcare.hl7V2Stores.list
roles/healthcare.hl7V2StoreAdmin All roles/healthcare.hl7V2StoreViewer permissions, and:
  • healthcare.hl7V2Stores.create
  • healthcare.hl7V2Stores.update
  • healthcare.hl7V2Stores.delete
  • healthcare.hl7V2Stores.getIamPolicy
  • healthcare.hl7V2Stores.setIamPolicy
  • healthcare.operations.cancel
roles/healthcare.hl7V2Ingest All roles/healthcare.hl7V2StoreViewer permissions, and:
  • healthcare.hl7V2Messages.ingest
roles/healthcare.hl7V2Consumer All roles/healthcare.hl7V2StoreViewer permissions, and:
  • healthcare.hl7V2Messages.get
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Messages.create
  • healthcare.hl7V2Messages.update
roles/healthcare.hl7V2Editor All roles/healthcare.hl7V2StoreViewer permissions, and:
  • healthcare.hl7V2Messages.get
  • healthcare.hl7V2Messages.list
  • healthcare.hl7V2Messages.delete
  • healthcare.hl7V2Messages.update
  • healthcare.hl7V2Messages.create
  • healthcare.hl7V2Messages.ingest
  • healthcare.operations.cancel

Note that roles/owner, roles/editor, and roles/viewer also include permissions for other Google Cloud Platform services. For more information about roles, see Understanding roles.

Cloud Healthcare Service Agent

The Cloud Healthcare Service Agent is a shared service account in your project that the Cloud Healthcare API uses to interact with other resources in Google Cloud.

For example, the Cloud Healthcare API uses this service agent to read from and write to Cloud Storage buckets, write to BigQuery, and publish messages to Pub/Sub.

To perform any of these actions, you must first grant the Cloud Healthcare Service Agent access to the relevant Cloud Storage bucket, BigQuery dataset, or Pub/Sub topic.

As you design the permission model for your project, keep in mind that granting any of the roles listed below lets a user invoke operations that run as the Cloud Healthcare Service Agent, and those operations can reach any data the agent itself has access to:

  • roles/healthcare.hl7V2StoreAdmin
  • roles/healthcare.fhirStoreAdmin
  • roles/healthcare.dicomStoreEditor
  • roles/healthcare.dicomStoreViewer

Similarly, assigning the following permissions to custom roles would also allow the user to invoke operations that will run as the Cloud Healthcare Service Agent:

  • healthcare.dicomStores.create
  • healthcare.dicomStores.update
  • healthcare.dicomStores.import
  • healthcare.dicomStores.export
  • healthcare.fhirStores.create
  • healthcare.fhirStores.update
  • healthcare.fhirStores.import
  • healthcare.fhirStores.export
  • healthcare.hl7V2Stores.create
  • healthcare.hl7V2Stores.update

For example, a person who holds any import permission can run operations that act as the Cloud Healthcare Service Agent and read from any Cloud Storage bucket the service agent already has read access to. Likewise, anyone who holds any export permission can run operations that act as the Cloud Healthcare Service Agent and write to any bucket the service agent already has write access to.

Similarly, a person who holds create or update permissions on a data store can configure the Pub/Sub notification targets and BigQuery streaming destinations that the Cloud Healthcare Service Agent sends data to whenever the data store changes.

As a best practice, use multiple projects to further isolate the permissions granted to the Cloud Healthcare Service Agent.
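The following is an added example, not Google's code: it transcribes the DICOM role family from the Roles table above, expands each "All roles/X permissions, and:" chain, and then checks the bindings of a getIamPolicy response for members whose predefined roles carry any of the ten permissions listed above as running operations as the Cloud Healthcare Service Agent. The sample policy and its principals are constructed, and custom roles are skipped because their permissions are not on this page.

```python
"""Audit Cloud Healthcare API IAM bindings for roles that let a principal run
operations as the Cloud Healthcare Service Agent (example code, not Google's)."""

# Role hierarchy transcribed from the Roles table on this page (DICOM store family
# only): role -> (role it inherits from, or None; permissions it adds).
ROLES = {
    "roles/healthcare.datasetViewer": (None, {
        "healthcare.datasets.get", "healthcare.datasets.list", "healthcare.operations.get"}),
    "roles/healthcare.dicomStoreViewer": ("roles/healthcare.datasetViewer", {
        "healthcare.dicomStores.get", "healthcare.dicomStores.list"}),
    "roles/healthcare.dicomStoreAdmin": ("roles/healthcare.dicomStoreViewer", {
        "healthcare.dicomStores.create", "healthcare.dicomStores.deidentify",
        "healthcare.dicomStores.delete", "healthcare.dicomStores.dicomWebDelete",
        "healthcare.dicomStores.getIamPolicy", "healthcare.dicomStores.setIamPolicy",
        "healthcare.dicomStores.update", "healthcare.operations.cancel"}),
    "roles/healthcare.dicomViewer": ("roles/healthcare.dicomStoreViewer", {
        "healthcare.dicomStores.export", "healthcare.dicomStores.dicomWebRead"}),
    "roles/healthcare.dicomEditor": ("roles/healthcare.dicomViewer", {
        "healthcare.dicomStores.import", "healthcare.dicomStores.dicomWebDelete",
        "healthcare.dicomStores.dicomWebWrite", "healthcare.operations.cancel"}),
}

# Permissions this page lists as invoking operations that run as the Service Agent.
SERVICE_AGENT_PERMS = {f"healthcare.{store}.{verb}" for store, verbs in (
    ("dicomStores", ("create", "update", "import", "export")),
    ("fhirStores", ("create", "update", "import", "export")),
    ("hl7V2Stores", ("create", "update"))) for verb in verbs}

def expand(role):
    """Every permission a predefined role grants, following each
    'All roles/X permissions, and:' link up to the root of the hierarchy."""
    perms = set()
    while role is not None:
        parent, own = ROLES[role]
        perms |= own
        role = parent
    return perms

def audit(policy):
    """Map each member of a getIamPolicy response to the Service-Agent-invoking
    permissions its predefined roles grant; custom roles and clean members are skipped."""
    findings = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        risky = expand(role) & SERVICE_AGENT_PERMS if role in ROLES else set()
        for member in binding.get("members", []):
            if risky:
                findings.setdefault(member, set()).update(risky)
    return findings

# Constructed sample policy in the shape datasets.getIamPolicy returns (made-up principals).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/healthcare.dicomStoreViewer", "members": ["group:store-ops@example.com"]},
    {"role": "roles/healthcare.dicomViewer", "members": ["group:radiology-readers@example.com"]},
    {"role": "roles/healthcare.dicomStoreAdmin", "members": ["serviceAccount:etl@example.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    for member, perms in sorted(audit(SAMPLE_POLICY).items()):
        print(f"{member} can act through the Service Agent via {sorted(perms)}")
```

The store-ops group is not reported because roles/healthcare.dicomStoreViewer, as defined in the table, carries none of the listed permissions, while the export permission inherited through roles/healthcare.dicomViewer and the create/update permissions of roles/healthcare.dicomStoreAdmin are.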